Synopsis: A server-side request forgery (SSRF) vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-01-30T00-20-58Z.
Who is affected: All users of the MinIO server version RELEASE.2019-12-17T23-16-33Z or newer are affected. Users that have disabled the MinIO browser UI are not affected.
Recommended Action for Users: All users are advised to upgrade their MinIO deployments to the latest version. This issue is fixed in version RELEASE.2021-01-30T00-20-58Z.
Description: An unauthenticated STS client causes the MinIO server to send HTTP requests to an arbitrary domain. This may disclose internal infrastructure to clients and may be abused as an entry point for further attacks against other components.
Thanks to @phith0n from our community who discovered and reported this issue to our security team. A patch has been submitted that changes the STS implementation to no longer send HTTP requests, and instead, use information that is available locally. For more information take a look at our Github Security Advisory. The patch has been reviewed and accepted, and a new release has been made.
A successful exploit can be used disclose and reach (internal) systems that are accessible to the MinIO server. At the time of writing, this exploit has not been observed in the wild.